Today we have the pleasure of celebrating the fact that we have reached the milestone of 200+ followers on WordPress. Since we started this blog, we have had such a great time connecting with everyone. we never expected to actually to connect with other people in the blogging community.

we are so incredibly thankful for each and every one of you who follows and comments on my blog posts. Please know that!

The internal audit checklist for HIPAA is one of the primary elements of HIPAA implementation. The passage of the Health Insurance Portability and Accountability Act (HIPAA) by the U.S. Congress in 1996 was aimed at regulating the way and process by which healthcare institutions across the country reveal the medical information of their patients.

The Department of Health and Human Services (HHS) is tasked with monitoring the compliance aspect of the law, i.e., it monitors how medical organizations comply with the provisions of HIPAA. In order to ensure that medical organization stay compliant with the provisions of HIPAA; auditors measure these compliance aspects with a checklist when testing companies’ medical data recording processes.

The internal audit checklist for HIPAA, like any other checklist, is a list of do’s and don’ts that a healthcare organization has to look to see if it is complying with its processes relating to medical data sharing and recording. These are the core areas against which auditors prepare and monitor the internal audit checklist for HIPAA:

Analysis and assessment of risk

One of the foremost aspects of the internal audit checklist for HIPAA is the organization’s analysis and assessment of the risk involved in disclosing medical information. Medical organizations of the designated types have to carry these out at regular, periodic intervals in ensuring that they don’t give opportunities for causing data breaches. Since healthcare organizations are involved in collecting, keeping and transferring of medical information; it is necessary for them to keep analyzing and assessing the risk involved in data breaches.

Gap analysis

In this category of internal audit checklist for HIPAA; auditors compare regulatory guidelines to security systems in the corporate sector. The idea is to help the medical organization outline its security requirements vis-a-vis its security infrastructure

Remediation

In this internal audit checklist for HIPAA; the healthcare organization relies on a number of technologies and steps to prevent any breach of data, and to also offset the damage done when a breach happens. The primary tools used in this internal audit checklist for HIPAA include software used for tracking defects, for process reengineering, CRM and a few ERP applications.

Planning for contingencies

An internal audit checklist for HIPAA also includes a set of plans that the healthcare organization has to have to be able to plan for contingencies. A healthcare organization can expect emergencies or disasters from any source, and these can be of any kind. An internal audit checklist for HIPAA should include plans for anticipating and dealing with these.

Personnel policies

The policy a healthcare organization puts in place for its personnel is an important point in the internal audit checklist for HIPAA. It has to decide what kinds of trainings its staff members receive for implementing HIPAA compliance.

Patrick McMullan will speak on how the microchip technology has impacted the employee experience and workplace productivity at Three Market Square — and address concerns about privacy, GPS tracking, and worker satisfaction.

Three Square Market President Patrick McMullan will share the experience at the upcoming 2017 Human Resources Technology Exchange in Dallas, which will take place Dec. 10-12.

“The international marketplace is wide open, and we believe that the future trajectory of total market share is going to be driven by whoever captures this arena first.”

Patrick McMullan

The Wisconsin-based provider of self-service breakroom vending machines had a “chip party” in July, during which 50 out of the company’s 85 employees agreed to trade in their employee IDs and passwords for a chip to be inserted in between their forefinger and thumb. The chipped employees can enter the building, sign into their computers, and pay for snacks, all with just a wave of the hand.

The decision to chip was driven by an aim to get ahead of the growing wearable technology trend, according to a release. By 2020, 75 million devices are predicted to be voluntarily in use.

“The international marketplace is wide open, and we believe that the future trajectory of total market share is going to be driven by whoever captures this arena first,” McMullan said in a BBC article from last summer.

After natural disasters, HHS sometimes waives certain HIPAA privacy rule requirements. That’s not usually the case after man-made disasters, such as Sunday night’s massacre in Las Vegas, where more than 50 were killed and hundreds were wounded after a gunman opened fire at a music festival.

Because the HIPAA privacy rule already allows information disclosure in certain cases, such as when public safety is threatened, and because there has been no declaration of a public health emergency, HIPAA waivers have not been necessary in this case.

Local hospitals will have to be careful, especially with so many requests for information from families, friends, and the media, said Mark Swearingen, a Hall Render attorney focused on health information privacy and security.

“Hospitals are going to have to be very careful about vetting and authenticating the individuals who might be calling in to make sure that they’re the type of person they can be sharing information with,” he said.

After Hurricane Harvey struck Texas in August, HHS Secretary Dr. Tom Price waived certain HIPAA penalties, which can range from $100 to $50,000 per violation. Providers would not be penalized for failing to giving out notices of privacy practices, for instance, nor would they be hit for not granting a patient the right to request privacy restrictions.

Meanwhile, other provisions of the HIPAA privacy rule were still in effect, including those that allow providers to disclose protected health information to patients’ families or others involved in their care. Other provisions allow providers to give out protected health information—including to law enforcement—if doing so would lessen a threat to those patients or to the public.

Given those rules, “when you have a shooting, the department has taken the position that a waiver isn’t necessary,” said Marcy Wilder, a privacy and cybersecurity lawyer with Hogan and Lovells, noting that no penalties were waived after the 2016 mass shooting that killed 49 people and injured 58 at Orlando’s Pulse nightclub. “The department wants to be careful here, because if you issue a waiver, that becomes a suggestion that without a waiver, these types of disclosures aren’t permitted,” she added.

Swearingen warns that Las Vegas hospitals therefore need to be cautious. “The hospital, I would hope, in this circumstance is going to be fairly guarded.”

A look at the nature and numbers of HIPAA breaches over just the couple of years makes stark reading: On the one hand, in terms of numbers; 2016, with about 16 million records breached was a pretty good year compared to the previous year, in which about seven times that number, more than 113 million, were breached. But the bad news is that 2016 saw more Covered Entities reporting breaches than in any other year since the Office of Civil Rights (OCR) started publishing its data on healthcare record breaches.

These huge numbers show that not only is there a big demand for these records in the black market -they are in greater demand than even social security and credit cards -Covered Entities and Business Associates need to all that it takes to avoid HIPAA fines and penalties.

The federal government has not been lax on this aspect. It is being extremely vigilant about protecting healthcare records. It has been consistently urging the HHS to take a serious view of the increased incidence of cyberattacks that has resulted in medical records theft and has suggested many measures towards ensuring this. The fact that there has been a steady increase in the global spending on cybersecurity-related hardware, software, and services and could reach $100 billion in 2020, according to estimates by the International Data Corporation (IDC), suggests the seriousness with which this issue is being viewed not just in the US, but all over the world.

One of the primary requirements that Business Associates need to comply with is adherence to HIPAA mandates regarding the handling and use of health information. This is spelt out in the HITECH Act, a recent update made to overall HIPAA regulations. It is mandatory for a Business Associate to comply with a wide range of regulatory obligations, which include certain privacy obligations, security standards, and breach notification requirements.

However, there is a lot of confusion and misunderstanding among Business Associates about their roles and requirements. They must be completely knowledgeable about all the aspects of their roles, functions and requirements before they enter into agreements of contracts with subcontractors and vendors for their services

Learning about ways of avoiding HIPAA fines and penalties

Jay Hodes, who is President and Founder, Colington Security Consulting, LLC, will be providing thorough understanding of the roles and requirements of a Business Associate and Covered Entities in HIPAA enforcement at a webinar that is being organized by MentorHealth, a leading provider of professional trainings for the healthcare industry. Please visit What should Entities do to avoid HIPAA fines and penalties? to get complete clarity of the ways of avoiding HIPAA fines and penalties.

Clarity on how to avoid HIPAA fines and penalties

The aim of this learning session is to help businesses understand what it means to be a Business Associate and know what required safeguards, policies and procedures must be in place or make sure that their current compliance program is adequate and can withstand government scrutiny.

Jay will highlight the importance of being compliant with the HIPAA requirements for an organization if it has to avoid HIPAA fines and penalties. The ways by which a Business Associate or Covered Entity can provide the appropriate patient rights and controls on its uses and disclosures of Protected Health Information (PHI) and what all it has to have in place for doing so, will all be explained.

Disasters, which can ultimately lead to a data breach, come in various forms – natural, man-made and technical. HIPAA, the HITECH Act, the Federal Trade Commission and the Securities and Exchange Commission are just a handful of entities requiring that the confidentiality, integrity and availability of the sensitive information (e.g., protected health information (PHI) and personally identifiable information (PII)) remain intact. Although federal HIPAA has distinct categories (e.g., covered entity, business associate, and subcontractor), other state or federal government entities use “covered entity” to mean any person that creates, receives, maintains or transmits PHI or PII.

HIPAA sets forth three main categories of safeguards: administrative, physical, and technical safeguards. Often times, these categories overlap. For example, the administrative requirement of a sanction policy compliments the physical requirement of two-factor identification for building access.

Below are a couple of select sections from the Code of Federal Regulations (CFR), which organizations should be particularly vigilant about in relation to disasters.

•45 CFR §164.310 (Physical) – requires that policies and procedures for facility access in order to restore lost data under the disaster recovery and emergency access plan.

•45 CFR §164.308 (Administrative Safeguards) – multiple requirements are set forth under this particular section of the CFR. For example:

The Value and Importance of Health Information Privacy

Ethical health research and privacy protections both provide valuable benefits to society. Health research is vital to improving human health and health care. Protecting patients involved in research from harm and preserving their rights is essential to ethical research. The primary justification for protecting personal privacy is to protect the interests of individuals. In contrast, the primary justification for collecting personally identifiable health information for health research is to benefit society. But it is important to stress that privacy also has value at the societal level, because it permits complex activities, including research and public health activities to be carried out in ways that protect individuals’ dignity. At the same time, health research can benefit individuals, for example, when it facilitates access to new therapies, improved diagnostics, and more effective ways to prevent illness and deliver care.

The intent of this chapter1 is to define privacy and to delineate its importance to individuals and society as a whole. The value and importance of health research will be addressed in Chapter 3.

CONCEPTS AND VALUE OF PRIVACY

Definitions

Privacy has deep historical roots (reviewed by Pritts, 2008; Westin, 1967), but because of its complexity, privacy has proven difficult to define and has been the subject of extensive, and often heated, debate by philosophers, sociologists, and legal scholars. The term “privacy” is used frequently, yet there is no universally accepted definition of the term, and confusion persists over the meaning, value, and scope of the concept of privacy. At its core, privacy is experienced on a personal level and often means different things to different people (reviewed by Lowrance, 1997; Pritts, 2008). In modern society, the term is used to denote different, but overlapping, concepts such as the right to bodily integrity or to be free from intrusive searches or surveillance. The concept of privacy is also context specific, and acquires a different meaning depending on the stated reasons for the information being gathered, the intentions of the parties involved, as well as the politics, convention and cultural expectations (Nissenbaum, 2004; NRC, 2007b).

Our report, and the Privacy Rule itself, are concerned with health informational privacy. In the context of personal information, concepts of privacy are closely intertwined with those of confidentiality and security. However, although privacy is often used interchangeably with the terms “confidentiality” and “security,” they have distinct meanings.Privacy addresses the question of who has access to personal information and under what conditions. Privacy is concerned with the collection, storage, and use of personal information, and examines whether data can be collected in the first place, as well as the justifications, if any, under which data collected for one purpose can be used for another (secondary)2 purpose. An important issue in privacy analysis is whether the individual has authorized particular uses of his or her personal information (Westin, 1967).

Confidentiality safeguards information that is gathered in the context of an intimate relationship. It addresses the issue of how to keep information exchanged in that relationship from being disclosed to third parties (Westin, 1976). Confidentiality, for example, prevents physicians from disclosing information shared with them by a patient in the course of a physician–patient relationship. Unauthorized or inadvertent disclosures of data gained as part of an intimate relationship are breaches of confidentiality (Gostin and Hodge, 2002; NBAC, 2001).